Abstract. We propose public-key cryptosystems with public key
a system of polynomial equations, algebraic or differential, and
private key a single polynomial or a small-size ideal. We set up
probabilistic encryption, signature, and signcryption protocols.

1. Introduction

This paper focuses on Hidden Monomial Cryptosystems, a class of
public key (PK) cryptosystems first proposed by Imai and Matsumoto
[IM85]. In this class, the PK is a system of polynomial nonlinear equations.
The private key is the set of parameters that the user chooses
to construct the equations. Before we discuss our variations, we review
briefly a simplified version of the original cryptosystem, better
described in [Kob99]. The parties throughout this paper are:

• Alice, who wants to receive secure messages;

• Bob, who wants to send her secure messages;

• Eve, the eavesdropper.

Alice takes two finite fields F_q < K, q a power of 2, and β_1, β_2, …, β_n
a basis of K as an F_q-vector space. Next she takes h < q^n such
that h = q^θ + 1 and gcd(h, q^n − 1) = 1. Then she takes two generic
vectors u = (u_1, …, u_n) and v = (v_1, …, v_n) upon F_q, and sets¹:

(1) v = u^h.

¹ The condition gcd(h, q^n − 1) = 1 is equivalent to requiring that the
map u ↦ u^h on K is 1-1; its inverse is the map u ↦ u^{h'}, where
h' is the multiplicative inverse of h modulo q^n − 1.

In addition, Alice chooses two secret affine transformations, i.e., two
invertible matrices A = (A_{ij}) and B = (B_{ij}) with entries in F_q, and
two constant vectors c = (c_1, …, c_n) and d = (d_1, …, d_n), and sets:

(2) u = Ax + c \quad\text{and}\quad v = By + d.
Recall that the operation of raising to the q^k-th power in K is an
F_q-linear transformation. Let P^{(k)} = (p^{(k)}_{iℓ}) be the matrix of this linear
transformation in the basis β_1, β_2, …, β_n, i.e.:

(3) \beta_i^{q^k} = \sum_{\ell=1}^{n} p^{(k)}_{i\ell}\, \beta_\ell, \qquad p^{(k)}_{i\ell} \in \mathbb{F}_q,

for 1 ≤ i, k ≤ n. Alice also writes all products of basis elements in
terms of the basis, i.e.:

(4) \beta_i \beta_j = \sum_{\ell=1}^{n} m_{ij\ell}\, \beta_\ell, \qquad m_{ij\ell} \in \mathbb{F}_q,

for each 1 ≤ i, j ≤ n. Now she expands the equation (1). So she
obtains a system of equations, explicit in the v, and quadratic in the
u. She now uses her affine relations (2) to replace the u, v by the x, y.
So she obtains n equations, linear in the y, and of degree 2 in the x.
Using linear algebra, she can get n explicit equations, one for each y,
as polynomials of degree 2 in the x.

Alice makes these equations public. Bob, to send her a message
(x_1, x_2, …, x_n), substitutes it into the public equations. So he obtains
a linear system of equations in the y. He solves it, and sends y =
(y_1, y_2, …, y_n) to Alice.

To eavesdrop, Eve has to substitute (y_1, y_2, …, y_n) into the public
equations, and solve the nonlinear system of equations for the unknowns x.

When Alice receives y, she decrypts:

y_1, y_2, …, y_n \;\longrightarrow\; v = By + d \;\longrightarrow\; u = v^{h'} \;\longrightarrow\; x = A^{-1}(u - c).

In Eurocrypt '88 [IM89], Imai and Matsumoto proposed a digital
signature algorithm for their cryptosystem.

At Crypto '95, Jacques Patarin [Pat95] showed how to break this
cryptosystem. He noticed that if one takes the equation v = u^h,
raises both sides to the (q^θ − 1)-th power, and multiplies both sides
by uv, he gets the equation u v^{q^θ} = u^{q^{2θ}} v, which leads to equations in
the x, y that are linear in both sets of variables. Essentially the equations do
not suffice to identify the message uniquely, but now even an exhaustive
search becomes feasible. The system was definitively insecure and
breakable, but its ideas inspired a whole class of PK cryptosystems and
digital signatures based on structural identities for finite field operations
[HFE, Moh99, Kob99, Pat96a, Pat96b, GP].

The security of this class rests on the difficulty of the problem of
solving systems of nonlinear polynomial equations. This problem is
hard iff the equations are randomly chosen. If they really were random,
the problem would be hard for Alice, too. So, all we try to do is to get systems
of equations that are not random, but appear as random as possible.

Our paper is organized as follows. In the next section we develop
our own, new cryptosystem. Alice builds her PK by manipulations as
above, starting from a certain bivariate polynomial.

All of Alice's manipulations are meant to hide from Eve this polyno- 
mial. It is the most important part of the private key. Its knowledge 
reduces decryption to the relatively easy problem of solving a single 
univariate polynomial of a moderate degree. 

Encryption is probabilistic, in the sense that to a given cleartext 
correspond zero, one, or more ciphertexts. Decryption is deterministic, 
in the sense that if encryption succeeds, decryption does succeed, too. 

Almost any bivariate nonlinear polynomial can give rise to a PK.
This plenitude of choices is an important security parameter.

In the third section we discuss some security issues. In the fourth 
one we provide our cryptosystem with a digital signature algorithm. 

In the fifth we provide a signcryption protocol. Signcryption stands 
for joint encryption and signature. 

In the sixth one we discuss some more variations. Essentially, we 
replace the single bivariate polynomial by an ideal of a small size. 

In the seventh section we mention what Shannon [Sti02] calls
unconditionally secure cryptosystems. Nowadays they are considered an
exclusive domain of private key cryptography. This is due mostly
to the unhappy state of the art of PK cryptography.

In the eighth one we extend our constructions to differential fields of 
positive characteristic. We hope they are the suitable environment for 
unconditionally secure PK (USPK) cryptosystems. 

2. A New Cryptosystem

2.1. Key Generation. Alice chooses two finite fields F_q < K, and
a basis β_1, β_2, …, β_n of K as an F_q-vector space. In practice, q = 2.
However, it can be any p^r, for any prime p and any r ∈ N.
Next Alice takes a generic (for now) bivariate polynomial:

(5) f(X, Y) = \sum_{i,j} a_{ij}\, X^i Y^j

in K[X, Y], such that she is able to find all its roots in K with respect
to X, for every Y ∈ K, if any. For the range of i employed, this is nowadays
considered a relatively easy problem. Further, f(X, Y) is subject to
a few other constraints, which we make clear at the opportune moment.

In transforming cleartext into ciphertext message, Alice will work
with two intermediate vectors, u = (u_1, …, u_n) and v = (v_1, …, v_n),
u, v ∈ K. She sets:

(6) \sum_{i,j} a_{ij}\, u^i v^j = 0.

For a_{ij} ≠ 0, she sets somehow:

(7) i = \sum_{k=1}^{n_i} q^{\theta_{ik}} \quad\text{and}\quad j = \sum_{k=1}^{n_j} q^{\theta_{jk}},

where θ_{ik}, θ_{jk}, n_i, n_j ∈ N* = {0, 1, 2, …}.

Here somehow means that (7) may or may not be the q-ary representation
of i, j. Taking this freedom, we increase our range of choices,
whence the random look of the PK. In any fashion, what we are
dealing with are nothing but identities.

Next Alice substitutes the (7) for the exponents in (6), obtaining:

(8) \sum_{i,j} \Big( a_{ij}\, \exp\!\Big(u, \sum_{k=1}^{n_i} q^{\theta_{ik}}\Big) \exp\!\Big(v, \sum_{k=1}^{n_j} q^{\theta_{jk}}\Big) \Big) = 0;

that is:

(9) \sum_{i,j} \Big( a_{ij} \prod_{k=1}^{n_i} u^{q^{\theta_{ik}}} \prod_{k=1}^{n_j} v^{q^{\theta_{jk}}} \Big) = 0.

Recall that the operation of raising to the q^j-th power in K
is an F_q-linear transformation. Let P^{(j)} = (p^{(j)}_{ik}) be the matrix of
this linear transformation in the basis β_1, β_2, …, β_n, i.e.:

(10) \beta_i^{q^j} = \sum_{k=1}^{n} p^{(j)}_{ik}\, \beta_k, \qquad p^{(j)}_{ik} \in \mathbb{F}_q,

for 1 ≤ i, j ≤ n. Alice also writes all products of basis elements in
terms of the basis, i.e.:

(11) \beta_i \beta_j = \sum_{k=1}^{n} m_{ijk}\, \beta_k, \qquad m_{ijk} \in \mathbb{F}_q,

for 1 ≤ i, j ≤ n.

Now she substitutes u = (u_1, u_2, …, u_n), a_{ij} = (a_{ij1}, a_{ij2}, …, a_{ijn}),
v = (v_1, v_2, …, v_n), and the identities (10), (11) into (9), and expands.
So she obtains a system of n equations of degree t in the u, v, where:

(12) t = \max\{\, n_i + n_j : a_{ij} \neq 0 \,\}.

Every term under the Σ in (7) contributes one to the size of t.

Here we pause to give some constraints on the range of i, j in (6).
The aim of this section is to generate a set of polynomials linear in one
set of variables, and nonlinear in another one. For that purpose, we
relate (6) and (7): a_{ij} ≠ 0 ⟹ {n_i ≥ 1, n_j = 1}.

On the other side, the size of the PK is O(n^{t+1}). So, it grows polynomially
with n, and exponentially with t. Therefore, we are interested in
keeping t rather modest, e.g., t = 2, 3, or so. So, we have to choose i, j
in (5), (7) in order to keep t under a prefixed bound.

Next she takes A = (A_{ij}), B = (B_{ij}) ∈ GL_n(F_q), c, d ∈ K, and sets:

(13) u = Ax + c \quad\text{and}\quad v = By + d,

where x = (x_1, x_2, …, x_n), y = (y_1, y_2, …, y_n) are vectors of variables.

Now she substitutes (13) into the equations in the u, v above, and
expands. So she obtains a system of n equations of degree t in the x,
y; linear in the y, and nonlinear in the x.

After the (13) each monomial X^i Y^j expands into polynomials with
terms of each degree, from n_i + n_j to zero. So, they shuffle better the
terms coming from different monomials of (9). On the other hand, they
render the PK very dense, so they increase its size drastically.

At this point, we are ready to define the cryptosystem. 

2.2. The Protocol. With the notations adopted above, we define
the HPE Cryptosystem (Hidden Polynomial Equations) as the PK
cryptosystem such that:

• The public key is:

— The set of the polynomial equations in the above;

— The field F_q;

— The alphabet: a set of elements of F_q, or strings of them.

• The private key is:

— The polynomial (5);

— A, B, c, d as in (13);

— The identities (6) to (11);

— The field K.

• Encryption: Bob substitutes the cleartext x = (x_1, x_2, …, x_n)
in the public equations, solves with respect to the y, and sends
y = (y_1, y_2, …, y_n) to Alice. We assume that solutions exist,
and postpone the case when there are none.

• Decryption: Alice substitutes v = By + d ∈ K > F_q in (6),
and finds all solutions within K. There is at least one. Indeed,
if x is Bob's cleartext, u as in (13) is one. For each solution u,
she solves:

(14) x = A^{-1}(u - c),

and represents all solutions in the basis β_1, β_2, …, β_n. It takes a
Chinese Remainder Theorem. With probability 1, all results
but one, Bob's (x_1, x_2, …, x_n), are gibberish, or even stretch
out of the alphabet. We come back later to this point, too.

ILIA TOLI
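As an added example that is not part of the paper, here is a toy instance in Python of the key generation of section 2.1 together with the encryption and decryption of section 2.2. All parameters are constructed: q = 2, K = F_16 with n = 4, a private f(X, Y) whose exponents are written as sums of q-powers as in (7), and A, B, c, d as in (13); the only departure from the text is a constant term a_0 in f, marked in the comments. The block builds the structure constants (10) and (11), expands f(Ax + c, By + d) into the n public equations (linear in y), lets Bob solve the linear system for y, and lets Alice recover the candidate cleartexts from the roots of f(u, v) in K.

```python
"""Toy HPE instance (added example, not the paper's code): key generation as in
section 2.1, encryption and decryption as in section 2.2.  Constructed parameters:
q = 2, K = F_16 = F_2[z]/(z^4 + z + 1), basis beta_i = z^i, so a K-element is a 4-bit
int whose bits are its coordinates.  An F_2 polynomial is a set of monomials and a
monomial a frozenset of variables (x^2 = x on F_2), so addition is symmetric difference."""
from functools import reduce
from itertools import product

Q, N, MOD = 2, 4, 0b10011
ONE = frozenset()                    # the constant monomial 1

def gf_mul(a, b):                    # multiplication in K
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= MOD if a >> N & 1 else 0
    return r

def gf_pow(a, e):
    return reduce(gf_mul, [a] * e, 1)

# structure constants: M[i][j] = beta_i*beta_j as in (11), P[th][i] = beta_i^(q^th) as in (10)
M = [[gf_mul(1 << i, 1 << j) for j in range(N)] for i in range(N)]
P = [[gf_pow(1 << i, Q ** th) for i in range(N)] for th in range(N)]

def psum(ps):                        # sum of F_2 polynomials
    return reduce(lambda a, b: a ^ b, ps, set())
def pmul(p, q):                      # product of two F_2 polynomials
    return psum({m1 | m2} for m1, m2 in product(p, q))
def kconst(a):                       # a in K with constant polynomial coordinates
    return [{ONE} if a >> k & 1 else set() for k in range(N)]
def kmul(U, V):                      # product in K via (11); coordinates are polynomials
    prods = {(i, j): pmul(U[i], V[j]) for i, j in product(range(N), repeat=2)}
    return [psum(p for (i, j), p in prods.items() if M[i][j] >> k & 1) for k in range(N)]
def kfrob(U, th):                    # U^(q^th) via (10): F_q-linear in the coordinates
    return [psum(U[i] for i in range(N) if P[th][i] >> k & 1) for k in range(N)]
def kpow(U, thetas):                 # U^(sum_k q^theta_k) = prod_k U^(q^theta_k), as in (9)
    return reduce(lambda W, th: kmul(W, kfrob(U, th)), thetas, kconst(1))
def affine(mat, c, var):             # coordinates of mat*x + c as linear polynomials, (13)
    return [{frozenset([(var, m)]) for m in range(N) if mat[l] >> m & 1}
            ^ ({ONE} if c >> l & 1 else set()) for l in range(N)]

def keygen(f_terms, A, c, B, d):
    """N public polynomials in x_m, y_m, linear in y; f_terms is the private f(X, Y) of
    (5) as a list of (a_ij, thetas of i, thetas of j), exponents written as in (7)."""
    U, V = affine(A, c, 'x'), affine(B, d, 'y')
    terms = [kmul(kconst(a), kmul(kpow(U, tX), kpow(V, tY))) for a, tX, tY in f_terms]
    return [psum(t[k] for t in terms) for k in range(N)]

def matvec(mat, x):                  # F_2 matrix (rows as bit masks) times vector
    return sum((bin(mat[l] & x).count('1') & 1) << l for l in range(N))
def solve_f2(rows):
    """Gauss over F_2; (mask, rhs) means mask.y = rhs.  One solution or None."""
    rows, pivots = list(rows), []
    for col in range(N):
        r = len(pivots)
        hit = [i for i in range(r, len(rows)) if rows[i][0] >> col & 1]
        if not hit:
            continue
        rows[r], rows[hit[0]] = rows[hit[0]], rows[r]
        rows = [(m ^ rows[r][0], k ^ rows[r][1]) if j != r and m >> col & 1 else (m, k)
                for j, (m, k) in enumerate(rows)]
        pivots.append((r, col))
    if any(m == 0 and k for m, k in rows):
        return None                  # inconsistent: no ciphertext (section 2.2.1)
    return sum(1 << col for r, col in pivots if rows[r][1])   # free variables set to 0

def encrypt(pk, x):                  # Bob: substitute x, solve the linear system in y
    rows = []
    for eq in pk:                    # monomials whose x-part is 1 survive with their y-part
        lin = psum({frozenset(t for t in m if t[0] == 'y')} for m in eq
                   if all(x >> i & 1 for v, i in m if v == 'x'))
        rows.append((sum(1 << i for m in lin for v, i in m), int(ONE in lin)))
    return solve_f2(rows)

def f_eval(f_terms, u, v):           # f(u, v) in K, computed directly
    r = 0
    for a, tX, tY in f_terms:
        r ^= reduce(gf_mul, [gf_pow(u, Q ** t) for t in tX] + [gf_pow(v, Q ** t) for t in tY], a)
    return r

def pk_eval(pk, x, y):               # the N public equations at (x, y), as a bit mask
    return sum((sum(all((x if v == 'x' else y) >> i & 1 for v, i in m) for m in eq) & 1) << k
               for k, eq in enumerate(pk))

def decrypt(sk, y):
    """Alice: v = By + d, all roots u of f(u, v) = 0 in K (brute force at this size), then
    x = A^-1 (u - c) for each root; Bob's cleartext is among the candidates."""
    f_terms, A, c, B, d = sk
    v = matvec(B, y) ^ d
    return [solve_f2([(A[l], (u ^ c) >> l & 1) for l in range(N)])
            for u in range(1 << N) if f_eval(f_terms, u, v) == 0]

# constructed private key: f(X, Y) = a1 X^3 Y^2 + a2 X^2 Y + a3 X Y^4 + a0, exponents as
# in (7): 3 = 2^0 + 2^1, 2 = 2^1, 4 = 2^2.  Each Y-exponent is a single q-power, so the
# public equations are linear in y; the constant a0 is my addition (keeps that linearity
# and removes the trivial root v = 0).  A, B are invertible over F_2 (rows as bit masks).
F_TERMS = [(0b0101, [0, 1], [1]), (0b1001, [1], [0]), (0b0011, [0], [2]), (0b1110, [], [])]
A, B = [0b1001, 0b0011, 0b0110, 0b0100], [0b1000, 0b1100, 0b0110, 0b0011]
C, D = 0b0110, 0b1011
SK, PK = (F_TERMS, A, C, B, D), keygen(F_TERMS, A, C, B, D)
```

The cleartext with u = Ax + c = 0 has no ciphertext at all (f(0, v) = a_0 ≠ 0), which is the failure case of section 2.2.1; for every x that does encrypt, Bob's x is one of the at most three candidates Alice recovers.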

2.2.1. The main suspended question is that of the existence of solutions.
Well, Bob succeeds in encrypting a certain message x iff Alice's
equation (6) has solutions for u as in (13) for that x. Alice's polynomial
(6) in v for a given u is a random one. It is a well-known fact from
algebra that the probability that a random polynomial with coefficients
upon a finite field has a root in it is 1 − 1/e ≈ 63.2% [Kob99, Mar97].

Here the remedy is probabilistic. Alice renders the alphabet public
with letters being sets of elements of F_q, or sets of strings in it. Bob
writes down a plaintext, and starts encryption. If he fails, he substitutes
a letter or a string of the cleartext with another one of the same
set, and retries. After s trials, the probability he does not succeed is
e^{-s}; practically good enough.

2.2.2. The other problem is that Alice may have to distinguish the
right solution among a great number of them. Here is a first remedy.
Her number of solutions is bounded above by the degree in X of f. So,
it is better to keep it moderate. Later we give other remedies, too.

2.3. Observations. Solving univariate polynomial equations is used
by Patarin, too [Pat96b, Wol02]. He takes a univariate polynomial:

f(x) = \sum_{i,j} \beta_{ij}\, x^{q^i + q^j} + \sum_i \alpha_i\, x^{q^i} + \mu_0,

and with manipulations like ours, both the same as Imai-Matsumoto
[IM85], he gets his PK: a set of quadratic equations. He uses two affine
transformations to shuffle the equations. We claim that the first one
adds nothing to the security.

The bigger the degree of f is, the more the PK resembles a randomly
chosen set of quadratic equations. So, it is a security parameter. On
the other side, it slows down decryption, principally by adding a lot
of undesired solutions. To face that second problem, other, randomly
chosen, equations are added to the PK. This is its Achilles' heel.
It makes the PK overdefined, therefore subject to certain facilities to
solve [SCPK]. So, it weakens the trapdoor problem.

We do not add equations to discard undesired solutions. Indeed,
we take the degree in X rather modest, so we do not have so many
undesired solutions. Thus, we are not subject to attacks exploiting
overdefined equations. If in certain variations we ever do, we need to
add fewer equations, however.

What is most important, we now have a practically infinite range of
choices of f. This is not Patarin's case. There the choices are bounded
below because of cases that are easy to attack, and above because of cases
impractical to the legitimate users.

The only few constraints we put on the monomials of f aim to:

• keep the PK equations linear in the y;

• have fewer undesired solutions in the decryption process;

• keep the size of the PK moderate;

• keep all PK equations nonlinear in the x.

The constraint that all PK equations must be nonlinear in the x is
the only non-negotiable one. Indeed, if Alice violates it, the trapdoor
problem becomes fatally easy for Gröbner techniques.

We can take the degree in Y arbitrarily huge. It gives no trouble to
us. We only require the monomials of f to be of the form X^i Y^{q^j} for
i, j ∈ N*, so the public equations come out linear with respect to the y.

Assume now that the PK is nonlinear in the y. Once Bob substitutes
the x in the public equations, he is required to find any solution of
the system that he obtains. This can be done within polynomial time
with respect to the Bézout number of the system. Later we give settings
to keep the PK nonlinear of low total degree in the y.

Each of such solutions (if any) is an encryption of the same cleartext.
So we have set up a probabilistic encryption protocol. To a single
cleartext may correspond zero, one, or more ciphertexts.

3. Security Issues

The main data to Eve are the system of public equations and the
order of extension. By brute force, she has to take (y_1, y_2, …, y_n), to
substitute it in the PK equations, to solve within the base field, and
to take the meaningful solution. Almost surely, there is only one meaningful
solution among those that she finds. She has to find it among them.
However, the main difficulty to her is just solving the system.
Supposedly, it will pass through the complete calculus of a Gröbner
basis. It is a well-known hard problem.

So, the complexity of the trapdoor problem is O(t^n). On the other
hand, the size of the PK is O(n^{t+1}). This fully suggests the values
of the parameters. It is better to take n huge. This diminishes the
probability that Alice confuses decryption, however close to zero, and,
what is most important, it renders Eve's task harder. Alice and Bob
will have to solve sets of bigger systems of linear equations, and face
the Chinese Remainder Theorem for bigger n.

If we take t very small, we restrict somehow the choices of f. If very big,
it renders the size of the PK impractical. Actually, n > 100 and t = 2, 3, 4
are quite good sample values. If we only take the monomials of f to be
univariate, the PK size is roughly the same as HFE, and we still have infinite
choices. In any case, later in section 6 we present better settings
that do all in one: moderate the size of the PK, increase its randomness,
and better contain the number of undesired solutions.

There exist well-known facilities [SCPK] to solve overdefined systems
of equations. Unlike most of the rest, our PK is irredundant, so it is
not subject to such facilities.

Now, by exhaustive search we mean that Eve substitutes the y in the
public equations, and tries to solve them by substituting values for the x. If
we have d letters, each of them represented by a single element of
F_q, the complexity of an exhaustive search is d^n. It is easy for Alice
to render exhaustive search more cumbersome than a Gröbner attack.
The latter seems to be the only choice for Eve.

Affine multiple attack [Pat96b] seems of no use in these settings. 

Obviously, infinitely many bivariate polynomials give rise to the
same public key. Indeed, once the ground field, the degree of extension
n, and the degree of the PK equations are fixed, we have a finite number of
public keys. On the other hand, there are infinitely many bivariate
polynomials that can be used as private keys.

On how this happens, nothing is known. If ever found, any such
regularity would only weaken the trapdoor problem.

4. A Digital Signature Algorithm

For Bob to be able to sign messages, he builds a cryptosystem as
above with [K_B : F_{q_B}] = n_B. Assume now that we are publicly given a
set of hash functions that send cleartexts to n_B-tuples of F_{q_B}.

Bob, to sign a message M:

• calculates H(M) = (y_1, y_2, …, y_{n_B}) = y_B, then v_B = B_B y_B + d_B;

• finds one solution (if any; otherwise, see section 2.2.1) of
f_B(u_B, v_B) = 0 in K_B;

• calculates x = A_B^{-1}(u_B − c_B);

• appends x = (x_1, x_2, …, x_{n_B}) to M, encrypts, and sends it to
Alice. (x_1, x_2, …, x_{n_B}) is a signature to M.

To authenticate, Alice first decrypts, then she calculates H(M) =
(y_1, y_2, …, y_{n_B}). If ((x_1, x_2, …, x_{n_B}), (y_1, y_2, …, y_{n_B})) is a solution of
Bob's PK, she accepts the message; otherwise she knows that Eve has
been causing trouble.

If Eve tries to impersonate Bob and send to Alice her own message
with hash value y = (y_1, y_2, …, y_{n_B}), then to find a signature
(x_1, x_2, …, x_{n_B}) she may try to find one solution of Bob's system of
equations for y. We trust in the hardness of this problem for the
security of authentication.

Actually, the hash functions play no role in this class of signatures.
They may as well output parts of the cleartext itself.
5. A Signcryption Protocol

Here is the shortest possible description. Let F_A and F_B be Alice's
and Bob's PK functions respectively. To send a message x to Alice, Bob
sends her a random element of F_A(F_B^{-1}(x)), which she can decrypt by
calculating F_B(F_A^{-1}(F_A(F_B^{-1}(x)))). This works if F_A(F_B^{-1}(x)) ≠ ∅. Otherwise,
the approach is probabilistic, as in the previous section.

Here is the extended description. Each letter (or only some of them)
is represented by a set of a few (two, e.g.) elements of the field, or strings
of them. For ease of explanation, assume that F_{q_A} = F_{q_B} and n_A = n_B.

Bob writes down the cleartext X, calculates v_B = B_B X + d_B, and
finds one solution (if any; otherwise see section 2.2.1) of his private
polynomial f_B(X, Y). Next he calculates x_B = A_B^{-1}(u_B − c_B), which
he encrypts as above by means of Alice's PK, and sends her the result.

Alice now first decrypts as in section 2.2. Next, she substitutes the
x-es she finds into Bob's PK variables x, and solves. There is at least
one solution, and at most a few of them. One of them is Bob's message.

What is the trapdoor problem now? Well, on the authentication side,
nothing new. Eve has the same chances to forge here that she had
before. Recall that this class of signatures is already considered best
with respect to the other ones.

On security, instead, there is a very good improvement. By brute
force, Eve has to take the ciphertext, substitute it in Alice's PK, find all
solutions, substitute them all in Bob's PK, and take the meaningful ones.

Let us assume that the letters are strings of a fixed length. For an
exhaustive search Eve now has to run through all the n-tuples of
all elements of Alice's ground field, not just through n-tuples made
of letters. She sets up such n-tuples and checks whether they are solutions
of Alice's PK for Bob's ciphertext y substituted for the variables y. If
yes, she substitutes into Bob's PK, and takes the meaningful ones.

So, Alice now has full freedom in building the alphabet. In decryption
she discards a priori the solutions that contain non-letters. Now
practically the good solution is unique.

Apart from all that, we save the space and calculations of the signature.

6. Hidden Ideal Equations

Instead of a single bivariate polynomial, Alice may employ an ideal of
a very modest size. She separates the variables that she employs into
two sets, {X_i}, {Y_j}: one for encryption, one for decryption. She may
decide to leave one of the equations employed of higher degree in the
{Y_j} after manipulations, so she gives rise to a probabilistic encryption
protocol. Alice obtains her PK with manipulations as in section 2.1 on
all variables {X_i}, {Y_j}. Her parameters are:

• n = [K : F_q];

• the number s_1, s_2 of variables {X_i}, {Y_j}, respectively;

• the number r of private equations.

So, the number of PK equations is n · r, the number of the variables
x_{ij} is n · s_1, and that of the y_{kl} is n · s_2.

Alice's number of variables, the {X_i}, is insignificant so far, so she is
supposed to be able to appeal to Gröbner techniques in order to solve
her system of equations within the field of coefficients for Bob's {Y_j}.

What is most important here and throughout, if Bob succeeds in
encrypting, Alice always succeeds in decrypting.

For ease of treatment, assume now that Alice does not apply affine
transformations to her variables. Bob fails encryption for a certain
cleartext (X_1, …, X_{s_1}) iff Alice's private ideal has no solutions in the
Y for such an (X_1, …, X_{s_1}). Alice's private ideal is a random one. If
she takes r < s_2, the probability that it has no solutions is ≈ 0, and
≈ 1 for r > s_2. So, it suffices that Alice takes r < s_2. The rare critical
cases that may supervene are faced simply by changing alphabet.

With slight changes, this reasoning holds in the case that Alice ap- 
plies affine transformations, too. 

The real problem is indeed that the solutions for Alice may be too
many; in any case finitely many, as the base field is finite. The
best remedy to that is that Alice takes r = s_1. So, the ideal that she
obtains after substitution of Bob's ciphertext is zero-dimensional (quite
easy to make happen), and the number of solutions is bounded above
by the total degree of the system. So, she can contain the number of
solutions by taking the total degree in the {X_i} modest.

Alice can take all equations of very low degree in the X, and then
transform that basis of the ideal they generate into another one of very
high degrees in the X. So she has a low Bézout number of the ideal,
and higher degrees in the X, and transformations as above can take
place. If she takes the first basis linear, the number of solutions of
her equations reduces to one: Bob's cleartext. She can substitute Bob's
ciphertext into any of the bases of her private ideal, e.g., into a linear one.

As soon as r > s_1, the PK becomes overdefined.

Alice applies a permutation to the equations and a renumbering to
the variables before publishing her key, so Eve does not know how
they are related. She may apply affine transformations, or may not, or
may apply them to only some of the X_i, Y_j; at her discretion.

If s_1 < s_2, the size of the ciphertext is bigger than that of the cleartext,
and nothing else is wrong. In this case, encryption is practically always
probabilistic. Indeed, even when the equations are linear with respect
to the y_{kl}, since there are more variables than equations, the solutions
exist, and are not unique.

Actually, Alice can take a big s_2. She may choose to manipulate
some of the Y_j within a subfield of K, rather than within K. Doing
so, she is allowed a big s_2, and a contained size of the ciphertext. The
number of the variables y_{kl} now is no more n · s_2.
One can employ this protocol for signcryption. The sizes of ciphertexts
throughout are roughly equal to those of the plaintexts. So,
one can use all the protocols we describe throughout for multiple encryption
as well. They seem suitable for private key schemes, too.

Now the size of the PK is O(s_1 n^{t+1}), and the complexity of the
trapdoor problem is O(t^{n s_1}).

Even though the size of the PK throughout grows polynomially with n,
before n becomes interesting, the PK is already quite cumbersome. So,
opting for the choices of this section we can employ a much smaller n,
whence moderate a lot the size of the public key.

Actually, n = 20 or so is quite good. We are allowed some more
values of t, too. Alice takes s_1 as big as she can handle, e.g., s_1 =
5, 6, 7, or more.

For n s_1 fixed, the bigger s_1 is, the exponentially less cumbersome
the PK is, and the exponentially harder Eve's task becomes.

Generally speaking, Alice's task becomes exponentially harder with
s_1, too. In practice, it depends very much on whether she has
any good basis of her private ideal, or not. In any case, the speeds at
which the tasks of Alice and Eve become harder are quite different.

6.1. There exist classes of ideals called with doubly exponential ideal
membership property [Swa]. These are the ideals for which the calculus
of a Gröbner basis requires doubly exponential time in the number of
variables. It is very interesting to know whether we can employ them
in some fashion in this class of cryptosystems. In any fashion, this
is the theoretical limit for employing the solving of polynomial systems of
equations in PK cryptography.

7. Some Considerations 

The idea of PK was first proposed by Diffie and Hellman [DH76]. 
Since then, it has seen several vicissitudes [Odl91, Mora, Morb]. 

A trapdoor function is a map from cleartext units to ciphertext units 
that can be feasibly computed by anyone having the PK, but whose 
inverse function cannot be computed without its knowledge: 

• either because (at present, publicly) there is no known way; 

• or there are, but the amount of calculi is deterring. 

Shannon [Sti02] called unconditionally secure cryptosystems those 
with trapdoor of the first class. 

Actually, the aim is to render the trapdoor problems equivalent to
time-honoured hard mathematical problems. A problem being hard
or undecidable implies nothing a priori about the security of a cryptosystem
[Odl91], however.

Recall that of all schemes ever set up, only two of them, RSA 
[RSA78] and ECDL [Kob99], are going to be broken (or, at least, are 
going to become impractical) by solving their hard problems. 
The author is very fond of the idea of the PK, and believes howsoever
in new developments that will make it fully suffice for all purposes.

Actually, one tendency is that of investigating poor structures, meaning
structures with fewer operations, like groups, semigroups with cryptosystems
upon the word problem [AAFG01, Yam98, Hug02]. Yamamura's
paper [Yam98] can be considered a pioneering USPK. Unfortunately,
its scheme is still ineffective.

William Sit and the author are investigating rich structures. We 
are investigating among other things effective USPK schemes upon 
differential fields of positive characteristic. We hope that cryptography 
will arouse new interests on differential and universal algebra, too, as it 
did in number theory and arithmetic geometry. One reason of optimism 
is that in universal algebra one can go on further with new structures 
and hard or undecidable problems forever. Until now we have appealed 
to only unary and binary arithmetic operations. 

8. Generalizations on Differential Fields

Differential algebra² [Kol73, Sit02, Rit50, Sad, Kap57] owes its existence
mostly to the efforts of Ritt [Rit50] to handle differential equations
by means of algebra.

A differential field is a field F endowed with a set of linear maps
θ : F → F called derivatives, such that: θ(ab) = aθ(b) + θ(a)b.

Kaplansky's booklet is perhaps the best introduction to the topic.

The schemes given throughout work as well in differential settings.
Take K to be a finite differential field extension of a differential field F
of positive characteristic³. Any such K is defined by a system of linear
homogeneous differential equations, and there are structural constants
defining the operations for the derivations (one matrix for each derivation),
as well as for multiplication.

One can now replace (5) with a differential polynomial of higher
order and degree. Throughout section 6, one can replace ideals with
small suitable differential ideals, too. The schemes work verbatim.

The techniques given throughout for polynomials, if applied to differential
polynomials, will definitely make it much harder to attack any
protocol developed. Any affine transformation (by this is meant a linear
combination of the differential indeterminates with not-necessarily
constant coefficients, and this linear combination is then substituted
differentially in place of the differential indeterminates) will not only
even out the degrees, but also the orders of the various partials,
making the resulting differential polynomials very dense.

² Most of the considerations given in this section are suggestions of professor Sit
through private communications.

³ In zero characteristic numerical analysis tools seriously affect security, or at
least constrain us to more careful choices. We shall not dwell on this topic here.
However, there is one thing to caution about: any time one specifies
these structural matrices, they have to satisfy compatibility equations.
In the algebraic case, it is the relations between P^{(j)} = (p^{(j)}_{ik}) in (10)
and M = (m_{ijk}) in (11). The P^{(j)} are simply determined uniquely by
M, given the choices implicitly defined in (11).

It is very interesting to know in the algebraic case whether Alice's
PK is invariant under a change of basis, all the other settings being
equal. There is probably some group of matrices in GL(n, q) that can
do that. Such knowledge would only weaken all cryptosystems based
on solving systems of equations.

In the differential case there is a similar action called the Loewy action,
or the gauge transformation. For ordinary differential equations, two
matrices A, B are Loewy similar if there is an invertible matrix K
such that A = δ(K) K^{-1} + K B K^{-1}. Using this action, one can classify
the different differential vector space structures of a finite dimensional
vector space. There is also a cyclic vector algorithm to find a special
basis, so that the differential linear system defining the vector space
becomes equivalent to a single linear ODE.

If no other problems arise for the differential algebraic schemes, there
is however one more caution for them to be unconditionally secure. We
have to avoid the exhaustive search. For that, Alice has to publish
a finite alphabet where each letter is represented by an infinite set,
disjoint sets for different letters. This is possible in differential fields,
as they are infinite. Alice renders the sets public parametrically, as
differential algebraic functions of elements of the base differential field,
and parameters, e.g., in Z. Bob chooses a letter, gives random values
to the parameters, obtains one representative of the letter, and proceeds
as above. In any case, if μ is the order of the public equations, any two
elements δ, θ ∈ F such that (δ − θ)^{(μ)} = 0 must represent the same
letter, if any.

In the algebraic case such constructions do not make sense, as the
base field is finite. Besides, the Gröbner attack is always at hand.

The main care for Alice is that the PK equations must not fall into
feasible cases by well-known means, such as linear algebra.

Now the size of the PK is O(n^{t·o+1}), where o is the order of the PK
equations. Quite explosive!!! One more reason to take q = 2, so some
more monomials reduce to zero.

Anyway, we do not have to increase parameters for better security.
The trapdoor problem is simply undecidable. Unlike the algebraic case,
we can split cleartext into small strings. Actually, quite good sample
values are: n = 20 and t, o = 2, 3, 4, or so. As of now, the HDPE trapdoor
problem seems undecidable, and the scheme effective.